OpenMetadata/openmetadata-k8s-operator/pom.xml
Ram Narayan Balaji 339b3dfb18
fix(security): upgrade Java dependencies to resolve CRITICAL and HIGH CVEs (#27940)
* fix(security): upgrade Java dependencies to resolve CRITICAL and HIGH CVEs

- jetty-http: 12.1.6 → 12.1.7 (HTTP Request Smuggling, CRITICAL)
- bcpkix/bcprov/bcutil-jdk18on: 1.80 → 1.84 (Crypto Signature Bypass + Timing Attack)
- postgresql: 42.7.7 → 42.7.11 (SCRAM-SHA-256 DoS)
- httpcore5-h2: pinned to 5.3.5 (HTTP/2 stream reset DoS)
- commons-compress: pinned to 1.26.0 (Infinite Loop DoS)
- jackson-core: 2.18.6 → 2.19.0 (async parser resource exhaustion)
- maven-shade-plugin: 3.5.1 → 3.6.0 (supports Java 22 MR-JAR in jackson-core 2.19.0)
- openapi-generator template override: jackson-version 2.17.1 → 2.19.0 in generated swagger pom

* fix(security): upgrade spring-web 6.2.11 → 6.2.18

* fix(security): align jackson-dataformat-yaml, feign, gson, logback versions

- jackson-dataformat-yaml: 2.17.2 → ${jackson.version} (2.19.0)
- feign-core: 13.2.1 → 13.5 (in openapi-gen template)
- gson: 2.10.1 → 2.11.0 (in openapi-gen template)
- logback-classic: 1.3.13 → 1.5.25 (in openapi-gen template)

* fix(security): use jackson 2.18.7 — highest clean 2.x with full ecosystem

2.19.0-2.21.0 all carry a HIGH (CVSS 8.7) vulnerability per Sonatype.
2.18.7 is the latest clean patch where all Jackson modules are released.

* fix(security): remove hardcoded jackson 2.17.2 override in k8s-operator, inherit 2.18.7 from root

* fix(security): upgrade gson 2.11.0 → 2.13.1 (Medium CVE)

* fix(security): replace 436-line pom.mustache with minimal stub

The openapi-generator-maven-plugin writes target/generated-sources/swagger/pom.xml
at build time with hardcoded jackson 2.17.1. Snyk --all-projects picks up every
pom.xml on disk and flags it as HIGH.

The generated pom.xml is never packaged into any JAR or Docker image — it is a
generator artefact. The actual runtime jackson version comes from the module pom
inheriting jackson.version=2.18.7 from the root. Replace the 436-line verbatim
upstream template (maintained just to change 2 version lines) with a 10-line
coordinate-only stub. The generated pom.xml will have no <dependencies> block,
so Snyk finds nothing to flag.
2026-05-07 09:19:10 +00:00


<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <parent>
    <artifactId>platform</artifactId>
    <groupId>org.open-metadata</groupId>
    <version>1.12.0-SNAPSHOT</version>
  </parent>
  <modelVersion>4.0.0</modelVersion>
  <artifactId>openmetadata-k8s-operator</artifactId>
  <name>OpenMetadata Kubernetes Operator</name>
  <description>Kubernetes operator for guaranteed exit handler execution in pipeline jobs</description>
  <properties>
    <maven.compiler.source>21</maven.compiler.source>
    <maven.compiler.target>21</maven.compiler.target>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <!-- Java Operator SDK version -->
    <java-operator-sdk.version>4.9.2</java-operator-sdk.version>
    <!-- Kubernetes client version (should match openmetadata-service) -->
    <kubernetes-client.version>21.0.1</kubernetes-client.version>
  </properties>
  <dependencies>
    <!-- Java Operator SDK -->
    <dependency>
      <groupId>io.javaoperatorsdk</groupId>
      <artifactId>operator-framework-core</artifactId>
      <version>${java-operator-sdk.version}</version>
    </dependency>
    <!-- HTTP client for Kubernetes client - compatible with operator SDK 4.9.2 -->
    <dependency>
      <groupId>io.fabric8</groupId>
      <artifactId>kubernetes-httpclient-okhttp</artifactId>
      <version>6.12.0</version>
    </dependency>
    <!-- Jackson for JSON processing -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.dataformat</groupId>
      <artifactId>jackson-dataformat-yaml</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <!-- Logging -->
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
    </dependency>
    <!-- Micrometer Prometheus Metrics -->
    <dependency>
      <groupId>io.micrometer</groupId>
      <artifactId>micrometer-registry-prometheus</artifactId>
      <version>1.14.5</version>
    </dependency>
    <dependency>
      <groupId>io.micrometer</groupId>
      <artifactId>micrometer-core</artifactId>
      <version>1.14.5</version>
    </dependency>
    <!-- Cron parsing for CronOMJob scheduling -->
    <dependency>
      <groupId>com.cronutils</groupId>
      <artifactId>cron-utils</artifactId>
      <version>9.2.1</version>
    </dependency>
    <!-- OpenMetadata common types (for sharing OMJob model) -->
    <dependency>
      <groupId>org.open-metadata</groupId>
      <artifactId>openmetadata-service</artifactId>
      <version>${project.version}</version>
      <scope>provided</scope>
    </dependency>
    <!-- Validation -->
    <dependency>
      <groupId>org.hibernate.validator</groupId>
      <artifactId>hibernate-validator</artifactId>
      <version>8.0.1.Final</version>
    </dependency>
    <!-- Testing -->
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter</artifactId>
      <version>5.9.3</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-core</artifactId>
      <version>5.7.0</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-junit-jupiter</artifactId>
      <version>5.7.0</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.testcontainers</groupId>
      <artifactId>junit-jupiter</artifactId>
      <version>1.20.3</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.testcontainers</groupId>
      <artifactId>k3s</artifactId>
      <version>1.20.3</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <!-- Maven compiler plugin -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.13.0</version>
        <configuration>
          <source>21</source>
          <target>21</target>
          <encoding>UTF-8</encoding>
        </configuration>
      </plugin>
      <!-- Spring Boot Maven plugin for creating fat JAR -->
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
        <version>3.3.5</version>
        <executions>
          <execution>
            <goals>
              <goal>repackage</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <mainClass>org.openmetadata.operator.OMJobOperatorApplication</mainClass>
          <classifier>boot</classifier>
        </configuration>
      </plugin>
      <!-- Dockerfile Maven plugin for container image -->
      <plugin>
        <groupId>com.spotify</groupId>
        <artifactId>dockerfile-maven-plugin</artifactId>
        <version>1.4.13</version>
        <configuration>
          <repository>docker.getcollate.io/openmetadata/omjob-operator</repository>
          <tag>${project.version}</tag>
          <buildArgs>
            <JAR_FILE>target/${project.build.finalName}-boot.jar</JAR_FILE>
          </buildArgs>
        </configuration>
      </plugin>
      <!-- Surefire plugin for unit tests -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-surefire-plugin</artifactId>
        <version>3.2.5</version>
        <configuration>
          <includes>
            <include>**/*Test.java</include>
          </includes>
        </configuration>
      </plugin>
      <!-- Failsafe plugin for integration tests -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-failsafe-plugin</artifactId>
        <version>3.2.5</version>
      </plugin>
    </plugins>
  </build>
  <profiles>
    <!-- Profile for building Docker image -->
    <profile>
      <id>docker</id>
      <build>
        <plugins>
          <plugin>
            <groupId>com.spotify</groupId>
            <artifactId>dockerfile-maven-plugin</artifactId>
            <executions>
              <execution>
                <id>build-image</id>
                <phase>package</phase>
                <goals>
                  <goal>build</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
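An added example, not code from the OpenMetadata repository, of the situation the commit message describes: a scanner run with `--all-projects` walks every pom.xml on disk, so a build-generated pom under `target/` carrying a literal Jackson version is flagged even though the module's own pom resolves `${jackson.version}` from the root and the generated file never ships. The module name `module-a` and the three sample poms are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

PROP_REF = re.compile(r"^\$\{([^}]+)\}$")  # matches ${jackson.version}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the POM xmlns, present or not

def pom_properties(xml_text):
    """<properties> of one pom as {name: value}."""
    root = ET.fromstring(xml_text)
    return {_local(p.tag): (p.text or "").strip()
            for node in root if _local(node.tag) == "properties" for p in node}

def pom_dependencies(xml_text, properties):
    """Every <dependency> as (groupId:artifactId, declared, resolved)."""
    out = []
    for dep in ET.fromstring(xml_text).iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        declared = f.get("version", "<managed>")  # no <version>: parent-managed
        m = PROP_REF.match(declared)
        resolved = properties.get(m.group(1), declared) if m else declared
        out.append((f"{f.get('groupId')}:{f.get('artifactId')}", declared, resolved))
    return out

def scan_poms(poms):
    """poms: {relative path: xml}. ${...} versions resolve against the root pom.xml."""
    props = pom_properties(poms.get("pom.xml", "<project/>"))
    rows = []
    for path in sorted(poms):
        for ga, declared, resolved in pom_dependencies(poms[path], props):
            rows.append({"pom": path, "generated": "/target/" in "/" + path,
                         "artifact": ga, "declared": declared, "resolved": resolved})
    return rows

def hardcoded_in_generated(poms):
    """Generated poms with literal versions: what --all-projects flags but never ships."""
    return [(r["pom"], r["artifact"], r["declared"]) for r in scan_poms(poms)
            if r["generated"] and r["declared"] != "<managed>" and not PROP_REF.match(r["declared"])]

SAMPLE_POMS = {  # constructed for this example; root property mirrors the commit
    "pom.xml": '<project xmlns="http://maven.apache.org/POM/4.0.0"><properties>'
               "<jackson.version>2.18.7</jackson.version></properties></project>",
    "openmetadata-k8s-operator/pom.xml": '<project xmlns="http://maven.apache.org/POM/4.0.0">'
        "<dependencies><dependency><groupId>com.fasterxml.jackson.core</groupId>"
        "<artifactId>jackson-databind</artifactId><version>${jackson.version}</version>"
        "</dependency></dependencies></project>",
    "module-a/target/generated-sources/swagger/pom.xml": "<project><dependencies><dependency>"
        "<groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>"
        "<version>2.17.1</version></dependency></dependencies></project>",
}
```

Run `hardcoded_in_generated(SAMPLE_POMS)` to see the generated pom reported with its literal 2.17.1, while the operator module resolves to 2.18.7 and is not reported.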